karpathy-wiki-ingest
Fail
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands, such as wiki-commit.sh and wiki-issue-log.sh, using parameters derived from external 'capture' files (e.g., <capture title>). If a capture file is maliciously crafted with a title containing shell metacharacters (e.g., "; rm -rf /"), it could lead to arbitrary command execution on the host system.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted 'capture' data and uses it to drive agent logic and file operations. Ingestion points: the agent reads the body and frontmatter of capture files from the ${WIKI_CAPTURE} location. Boundary markers: the skill relies on standard Markdown frontmatter delimiters but lacks explicit instructions to the agent to disregard instructions potentially embedded in the capture body. Capability inventory: the agent has broad capabilities, including reading/writing files, executing several local shell and Python scripts, and managing a Git-based wiki repository. Sanitization: there is no evidence of sanitization or validation performed on the capture data before it is interpolated into shell command strings or used to influence the agent's wiki-processing logic.
Recommendations
- AI detected serious security threats
Audit Metadata